Now this works great, every incoming request gets dropped.
The problem is I would like to allow ports 80 and 53 to be reached from outside, the same as I did in IPv4 with port forwarding (block everything while allowing a specific port to be reached).
For example,
I would like to allow only ports 80 and 53 here: 2a00:ee2:900:e700:5c47:2365:b1d2:67d
while blocking everything else on every other IP.
Hi,
Does someone know why something like this: http://www.ipv6scanner.com/cgi-bin/main.py
reports ports as being filtered instead of closed? How can a tool know if a port is blocked by a firewall or if it is closed?
Can I change my firewall rules so ports will appear closed, not filtered?
It’s action=drop: it silently discards packets, and ports will show as filtered. If you use action=reject instead, the router will send back info about closed ports. By default, if you don’t have any firewall, closed ports send back either a TCP reset or ICMP port unreachable. There are also other ICMP messages you can send, but I don’t remember exactly how scanners interpret them.
Drop just discards packets; reject sends extra packets back, so it’s more expensive. On the other hand, you’ll hardly see any difference, maybe if someone is DDoSing you, but not otherwise.
But reject is a cleaner solution and makes debugging easier, because if something is blocked by mistake, you get clear info. With drop you’ll have only a timeout, and then you can wonder what’s wrong.
Some believe that drop is safer, because it hides the device from bad guys, but that’s debatable.
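The RouterOS rule set below is an added example, not posted by anyone in this thread. It puts together what the first post asks for (only TCP 80 and TCP/UDP 53 reachable on 2a00:ee2:900:e700:5c47:2365:b1d2:67d, everything else from outside blocked) with the drop-versus-reject choice discussed in the reply above. The interface name ether1-wan is a placeholder, and the established/related and ICMPv6 accept rules are standard practice added here rather than something the thread mentions.

```routeros
/ipv6 firewall filter
# Added example; ether1-wan is a placeholder for the upstream interface.
# Rules are evaluated top-down and the first match wins, so the catch-all must stay last.
add chain=forward connection-state=established,related action=accept comment="return traffic for connections opened from inside"
# ICMPv6 is not optional on IPv6 (path MTU discovery, neighbor discovery); dropping it breaks connectivity.
add chain=forward protocol=icmpv6 action=accept comment="keep ICMPv6 working"
# The only services reachable from outside: TCP 80 and TCP/UDP 53 on one host.
add chain=forward in-interface=ether1-wan dst-address=2a00:ee2:900:e700:5c47:2365:b1d2:67d/128 protocol=tcp dst-port=80 action=accept comment="web"
add chain=forward in-interface=ether1-wan dst-address=2a00:ee2:900:e700:5c47:2365:b1d2:67d/128 protocol=tcp dst-port=53 action=accept comment="dns tcp"
add chain=forward in-interface=ether1-wan dst-address=2a00:ee2:900:e700:5c47:2365:b1d2:67d/128 protocol=udp dst-port=53 action=accept comment="dns udp"
# Catch-all for everything else arriving from outside. drop makes a scanner report "filtered";
# reject (commented alternative below) makes it report "closed". Use one of the two, and keep it last.
add chain=forward in-interface=ether1-wan action=drop comment="silently discard everything else"
# add chain=forward in-interface=ether1-wan action=reject reject-with=icmp-port-unreachable comment="answer instead of dropping"
```

The forward chain only sees transit traffic; connections to the router itself are matched in the input chain and need their own rules.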
Is there another way to specify a port for a specific IPv6 client other than by IP in Forward - Firewall? My IPv6 is dynamic; the range can always be changing, so the rule would always have to be changing. I’ve already tried Bridge Port Out, but apparently in Forward this option doesn’t work.